Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

CSI Speakers Offer Advice On Risk Assessment, Reporting

Security professionals must not be able to only evaluate risk, but also report it in a way top executives can understand, experts say

WASHINGTON, D.C. -- CSI Annual Conference 2009 -- It's the question only a top-level business manager can ask -- the question all security managers have come to dread.

"How secure are we?"

Nearly every security professional must answer questions like this from time to time -- questions that simultaneously ask about the risk of critical data loss and the real value of security processes, technology, and personnel. At the Computer Security Institute's annual conference here this week, several speakers offered advice on measuring security risks and communicating those risks to top-level managers and executives.

"The operative problem is that you can't really accurately measure security status," said Christopher Michael, director of information assurance at defense contractor BAE Systems. "There's no truly accurate way to do it. But you have to do something to help show risks and benefits because the business demands it."

Bill Mann, senior vice president of security product strategy at CA, offered similar advice in his CSI presentation. "Security people tend to be exact -- they want everything to be 100 percent," he said. "But when you're reporting to upper management, you need to put it out there -- without worrying about everything being perfect."

The key when conveying risks and benefits to top executives, Mann said, is to speak in terms they will understand. "You can't talk about packets," he said. "These guys think in spreadsheets. They think about things like 'impact' and 'likelihood.' Give them some idea of the risk, then give them some options for mitigating them."

Before security professionals approach their management, they must understand the risk themselves, said Rafal Los, senior security consultant for HP's Application Security Center, in his CSI presentation.

"As technology people, we often chase the things that seem to be the biggest risk -- the things that are the most innovative -- without really doing an analysis of the actual risk," Los said. "In most cases, it's not something new, but your legacy systems that pose the highest overall risk right now. It's the things that came before you, but that nobody's looked at for a long time, that you should worry about. Too often, we hyperfocus on new, cool hacks that will never happen, rather than the legacy systems."

In other cases, enterprises may fail to update their risk stance to reflect changes in time or world events. Executives at security vendor NetWitness frequently stated that enterprises and government agencies are preparing for the "cyber threat of 1995" without taking into account the formidable capabilities of today's organized criminals and foreign governments.

"We estimate that there are currently 100 countries that have cyberwar capabilities today, and many of them are more advanced than the organized criminal groups we talk so much about in the security space," said Eddie Schwartz, CSO of NetWitness, in an interview at CSI. "But most companies don't account for that in their security strategies. A lot of companies don't understand the risks associated with contractors or social networking. Most companies still focus on compliance and prevention, but they're fighting a losing battle. We need to rethink the risk equation."

There are many methods for calculating risk, the speakers noted. BAE's Michael recommended the NIST risk management framework, which outlines methods for analyzing the potential impact of a breach, selecting and implementing controls, assessing and monitoring their effectiveness, and reporting residual risk.

The key is creating metrics that can be quantitatively tracked over time, Michael said. He recommended creating a "security risk register," in which the owners of each security-related process identify metrics for that process, including the likelihood of compromise and the consequences of such a compromise.

"Once you have that in place, then the managers can decide which ones are important to them," Michael said. Management may even choose to rank the processes with a quantitative score, which helps the security team focus on those that pose the highest risks. Security teams can also perform a gap analysis for each process, estimating current security status against the highest possible security status for that process, he said.

Compliance is one of the easier security metrics to measure because there are standards to be measured against, Michael said. Cost reduction -- such as the implementation of a self-service password reset process -- and cost avoidance, such as a reduction in breaches, might also be measurable in a way that appeals to management.

But Los cautioned that all mathematical risk models must be tailored to fit the organization's priorities and business models. "There are many mathematical risk management risk models, but 90 percent of them don't apply to the people who are reading them," Los said. "Risk is a company-specific issue. You have to set your own standards for it."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.